METHOD AND DEVICE FOR STORING A COMPUTER PROGRAM IN A PROGRAM MEMORY OF A CONTROL UNIT



Background Information 

The present invention relates to a method for storing a
computer program in a program memory of a control unit, the
computer program being stored according to predefinable rules
in specific memory areas of the program memory.

In addition, the present invention relates to a device for
storing a computer program in a program memory of a control
unit, the device having first means for storing the computer
program according to predefinable rules in specific memory
areas of the program memory.

Finally, the present invention relates to a control unit
having a computing unit, in particular a microprocessor, and a
program memory, on which a program is stored according to
predefinable rules in specific memory areas of the program
memory.

In motor vehicle control units, for example, locating the
program code of a computer program for a computing unit, in
particular for a microprocessor or for a CPU (central
processing unit), and for any existing coprocessors, in
accordance with an address mapping valid for the particular
control unit and storing the code in a program memory of the
control unit is known from the related art. Locating is
understood as the assignment of specific parts of the computer
program, known as program segments, to specific memory areas
of the program memory.

According to the related art, the program code is located and
stored in the program memory according to predefinable rules,
which take the following facts into consideration in
particular:

- Program segments which are frequently called are located
  in memory areas which allow rapid program execution,
  i.e., rapid execution of the program segments on the
  microprocessor or the CPU. These program segments (for
  example, the program code of rapid time grids) may be
  stored in an internal flash memory of the control unit.

- The access possibilities to the program memory in the
  event of specific system states as a function of the
  hardware. Thus, for example, the internal flash memory
  may not be accessible in the event of undervoltage. In
  order to allow for this system state, the program
  segments which are to be reliably accessed in spite of
  undervoltage are located in an external flash memory and
  stored there.

In the framework of the present invention, the flash area 
which is located inside the CPU housing is referred to as an 
internal flash memory. In contrast, a separate IC (integrated 
circuit) component which may be accessed by the CPU via an 
external bus is referred to as an external flash memory. 

Locating is performed after assembling, compiling, and linking 
the program code and before the computer program is stored in 
the program memory of the control unit. Overall, the method of 
storing a computer program in a program memory of a control 
unit, known from the related art, results in program segments 
being distributed to different, non-contiguous address areas
of the program memory.

During execution of the computer program stored in the program
memory on a computing unit, in particular on a microprocessor
or a CPU, it may occur for various reasons that the computer
program jumps into unused memory areas of the program memory,
in which no program code is stored. According to the related
art, no defined program code is stored in the unused memory
areas. After a jump into the unused memory area of the program
memory, this undefined program code is therefore executed. In
this way, the control unit may reach an undefined and
therefore irregular state.

Causes for a jump of the computer program into the unused
memory area of the program memory may be internal and external
influences, for example, bit inversion in the flash memory or
in a RAM (random access memory), the effects of excess EMC
(electromagnetic compatibility) radiation, or latent
programming errors.

Furthermore, various mechanisms are known from the related art
for recognizing an irregular state of the control unit and
first transferring the system into a safe state and second
ensuring the functionality of the control unit again. These
known mechanisms include, for example:

- an internal controller watchdog;

- monitoring of time grids;

- a two-computer concept;

- monitoring of the program execution for plausibility;

- a check sum test.

Through the exemplary mechanisms listed, the attempt is made
to recognize, directly or indirectly, bit inversions in the
flash memory or in the RAM, influences by electromagnetic
radiation (EMC), or implausible states such as latent
programming errors (e.g., jumps via miscalculated pointers),
to transfer the control unit into a safe state, and to restore
the functionality of the control unit. The robustness of the
system is to be enhanced through the early recognition of
irregular or undefined states of the control unit. The
availability of the system is to be improved by rapidly
restoring the functionality of the control unit.

Not transferring a monitoring system for a measurement and
control device into a safe state immediately upon the
occurrence of a malfunction of the measurement and control
device, but only after multiple occurrences of a malfunction,
is known from German Patent Application 100 18 859 A1. Upon
each occurrence of a malfunction, the count of a counter is
increased. If the count exceeds a predefinable limit value,
the monitoring system enters the safe state.

The present invention is based on the object of providing a
further mechanism, through which undefined or irregular states
of the control unit may be recognized, and the control unit
may be transferred into a safe state and the functionality of
the control unit may be restored.

To achieve this object, the present invention suggests, on the
basis of the method of the type initially cited, that
predefinable information which causes the control unit to be
transferred into a defined state be stored in unused memory
regions of the program memory, in which the computer program
is not stored.

Advantages of the Invention

An essential aspect of the present invention is therefore
storing predefinable information, preferably a specific
program code which causes the control unit to be transferred
into a defined state, in the unused memory areas of the
program memory, instead of the undefined program code. In
addition, the functionality of the control unit may be
restored through the predefinable information.

The present invention relates to a mechanism which prevents
the computing unit, in particular the microprocessor or the
CPU, from executing memory areas which are actually unused in
the corresponding state of the computer program and therefore
must not be used for program execution. If the computing unit
branches into these memory areas, an implausible state exists
in any case. In order to nonetheless be able to control the
further execution of the computer program through this unused
memory area and prevent a random return into existing program
code of the computer program, this memory area is to be at
least partially filled using a special program code, which
causes the computing unit to be transferred into a defined
state in a controlled way. The special program code preferably
causes the computing unit to leave the unused memory area.

In order to obtain a diagnosis about the origin of the error
which resulted in the jump into the unused memory area of the
program memory, additional historical information may be
stored in an interrupt service routine or in an error handling
routine.

It is recognized as soon as a jump is made into an unused
memory area and/or as soon as program instructions are
executed from this memory area. The control unit is reset
immediately or only after special error handling. The system
is set back into a defined, operational state through a
subsequent start-up of the control unit program. After the
start-up of the control unit, the normal functionality of the
control unit may be continued if there is no permanent error.

The mechanism suggested according to the present invention
offers a protective measure against program execution in the
unused memory areas of a program memory, which must not be
used in the corresponding state of the computer program.
Through the present invention, the robustness of a computer
program for a control unit is enhanced and the availability of
the control unit is markedly improved. The occurrence of an
implausible and/or irregular state is recognized immediately.
In addition, implementation in existing software of all
control units is possible. The mechanism suggested according
to the present invention may be implemented easily and rapidly
in the control unit software. Since no expansion of the
program code of the computer program is necessary, no
additional outlay and no additional costs arise for the
implementation of the present invention.

It is theoretically conceivable, during the execution of the
computer program, for a computing unit, in particular a
microprocessor or a CPU, of the control unit to jump into
memory areas of the flash memory and/or pass through memory
areas of the flash memory which are physically present but are
unused in the current state of the computer program. If the
computing unit erroneously jumps into these unused memory
areas and/or reads out program code in these unused memory
areas, the control unit may reach an irregular or undefined
state. The computing unit will attempt to execute the program
code read out of the unused memory areas. If the program code
does not contain a jump, the computing unit will execute the
program instructions read out linearly and will very probably
reenter a memory area having regular program code of the
computer program at some time. The system behavior during the
execution of the program instructions from the unused memory
area and the system behavior after a transition into the
actually used memory area of the flash memory is not defined
and/or not predictable and must therefore be avoided. This
behavior is especially critical if it occurs in a time grid
which is itself not checked for plausibility.

Using the present invention, such an undefined and/or
irregular state of the control unit may be interrupted again
immediately, which enhances the robustness of the control
unit. In addition, through suitable selection of the
predefinable information, the overall system may be rapidly
transferred back into a safe state and the functionality of
the control unit may be restored, thus markedly enhancing the
availability of the control unit.

According to an advantageous refinement of the present
invention, the control unit is reset by the execution of the
predefinable information on a computing unit, in particular on
a microprocessor or a CPU (central processing unit), of the
control unit. Therefore, a reset of the control unit is
intentionally triggered through the information stored in the
unused memory area. The reset is preferably caused by an
appropriate program instruction (software reset) or through an
instruction code which is not present in the computing unit
and is therefore forbidden (illegal opcode) or, for example,
by a "trap unconditionally" instruction to branch into an
interrupt service routine and/or an error handling routine.

According to a preferred embodiment of the present invention,
it is suggested that an interrupt service routine be called by
the execution of the predefinable information on a computing
unit, in particular on a microprocessor or a CPU, of the
control unit. In the event of an interrupt, a running computer
program of a processor is interrupted in favor of a more
urgent program. In the event of an interrupt, the processor
saves all of the data necessary for the further operation of
the running computer program in a special memory area, the
stack memory or stack. After the execution of the interrupt
service routine, the processor then continues the running
program. In the framework of the program which is invoked by
the interrupt service routine, the system may be transferred
into a safe state and the functionality of the control unit
may be restored.

An error handling routine is advantageously called by the
execution of the predefinable information on a computing unit,
in particular on a microprocessor or a CPU, of the control
unit.

The control unit is preferably reset at the end of the
interrupt service routine and/or at the end of the error
handling routine. The reset of the control unit may be caused,
for example, through an appropriate program instruction
(software reset) or through an instruction code which is not
present in the computing unit and is therefore forbidden
(illegal opcode) or, for example, through a "trap
unconditionally" instruction to branch into an interrupt
service routine and/or an error handling routine. The reset
results in a start-up of the control unit program. Information
about the precise location of the occurrence and the history
(e.g., a return address in the computer program) may be stored
within either the interrupt service routine or the error
handling routine. Conclusions (for example, about the
frequency of the occurrence of an error) may be drawn from
this information.

The precise implementation of the present invention is a
function of the computing unit used, in particular the type of
microprocessor or CPU used. Various computing units differ,
for example, in the instruction set used, which is executed on
the computing unit. The precise implementation of the present
invention is also a function of the desired scope of the
functionality of the mechanism, i.e., of the desired
"intelligence" of the recognition, the transfer into a safe
state, and the restoration of the functionality of the control
unit.

Storing the predefinable information only in selected unused
memory areas of the program memory is conceivable. However,
according to an advantageous refinement of the present
invention, the predefinable information is stored in all
unused memory areas of the program memory.

According to a preferred embodiment of the present invention,
it is proposed that at least one unused memory area of the
program memory be completely filled by the predefinable
information. Completely filling only selected unused memory
areas of the program memory using the predefinable
information, or filling all of the unused areas, is
conceivable.

According to another preferred embodiment of the present
invention, the predefinable information is stored in
predefinable intervals in at least one unused memory area of
the program memory, the part of the unused memory area in
which the predefinable information is not stored not causing
jumps or endless loops. The predefinable information is
preferably stored at regular intervals in the at least one
unused memory area of the program memory.

According to yet another preferred embodiment of the present 
invention, the predefinable information is merely stored at 
the end of at least one unused memory area of the program 
memory. However, it must be ensured in this case that the part 
of the unused memory area in which no predefinable information
is stored does not cause jumps or endless loops.

As a further achievement of the object of the present
invention, based on the device of the type initially cited, it
is suggested that the device have second means for storing
predefinable information, which transfers the control unit
into a defined state, in unused memory areas of the program
memory in which the first means have not stored the computer
program.

According to an advantageous refinement of the present
invention, the second means are implemented as a hexadecimal
editor. Using the hexadecimal editor, the unused memory areas,
which are not used in the corresponding state of the computer
program, may be filled using special hexadecimal code. The
unused program memory is filled as the state of the computer
program is produced.

According to a preferred embodiment of the present invention,
the device has means for executing the method according to the
present invention.

As yet a further achievement of the object of the present
invention, based on the control unit of the type initially
cited, it is suggested that predefinable information, through
which the control unit may be transferred into a defined
state, be stored in unused memory areas of the program memory
in which the computer program is not stored.

According to an advantageous refinement of the present
invention, the predefinable information according to the
method according to the present invention is stored in the
unused memory areas of the program memory.

Drawings



Further features, possible applications, and advantages of the
present invention result from the following description of
exemplary embodiments of the present invention, which are
illustrated in the drawing. In this case, all features
described or illustrated form the object of the present
invention, alone or in any combination, regardless of their
wording in the patent claims or their back-references and
regardless of their wording and representation in the
description and the drawing.



Figure 1 shows a flowchart of the method according to the
present invention according to a preferred
embodiment; and

Figure 2 shows a control unit according to the present 
invention according to a preferred embodiment. 



Description of the Exemplary Embodiments

A sequence of the method according to the present invention
according to a preferred embodiment is illustrated in Figure
1. The method according to the present invention begins in a
function block 1. In a function block 2, the program code for
a specific computer program is generated. The computer program
is used, for example, for controlling and/or regulating a
specific functionality in a motor vehicle. In a function block
3, the computer program generated is assembled, compiled, and
linked. The program code is subsequently located in a function
block 4. In the framework of the locating, the computer
program is assigned to specific memory areas of a program
memory according to predefinable rules. For example, the
following facts are taken into consideration when locating the
program code:

- Parts of the computer program, known as program segments,
  which are called more frequently (the program code of rapid
  time grids, for example), are located in memory areas which
  allow rapid program execution, for example, in an internal
  flash memory.

- Program segments which are still to be reliably accessed
  in spite of specific system states dependent on the hardware
  are located in appropriate memory areas which may still be
  accessed even in these system states. If access to an internal
  flash memory is not possible in the event of undervoltage, the
  corresponding program segments are located in an internal
  flash memory. Locating distributes the computer program to
  different, non-contiguous address areas of the program memory.

The computer program is not stored in some memory areas of the 
program memory, and these memory areas therefore remain 
unused. It is theoretically conceivable for a computing unit, 
in particular a microprocessor or a CPU (central processing 
unit), to jump into these unused memory areas of the program
memory and/or pass through these unused memory areas during 
the program execution. 

These unused memory areas are physically present, but are not 
used in the current program state and are therefore free. If 
the computing unit erroneously jumps into these unused memory 
areas and/or reads out program code in these unused memory 
areas, the control unit may reach an undefined and therefore 
irregular state. The computing unit attempts to execute the 
program code read out from the unused memory area. If the 
program code does not contain a jump, the computing unit 
linearly executes the program instructions read in and is 
highly likely to enter a memory area in which the regular 
program code of the program is stored.

The system behavior during the execution of program
instructions from the unused memory area and after a
transition into the memory area of the program memory actually
used by the computer program is not predictable and must
therefore be avoided. This behavior is especially critical if
it occurs in a time grid which is not itself checked for
plausibility.

The present invention suggests a further mechanism, through
which this irregular state is interrupted immediately upon its
occurrence, the overall system is transferred into a safe
state, and the functionality of the control unit is restored.
For this purpose, in the method according to the present
invention, predefinable information is located in the unused
memory area of the program memory in a function block 5. The
predefinable information causes a reset of the control unit
when it is executed on the computing unit, in particular on
the microprocessor or CPU. However, it is also conceivable for
an interrupt service routine or an error handling routine to
first be called by the execution of the predefinable
information on the computing unit. At the end of the routine,
the control unit may then be reset through a software reset,
for example, and started up again. The control unit is then in
a defined, completely operational state and may continue with
the execution of the computer program.

The predefinable information may be stored in only part of the
unused memory areas of the program memory. However, the
predefinable information is preferably stored in all unused
memory areas of the program memory. Furthermore, it is
possible to store the predefinable information in only part of
an unused memory area, for example, at the end of the unused
memory area. However, it must be ensured in this case that the
part of the unused memory area in which the predefinable
information is not stored does not cause jumps or endless
loops if the program code contained therein is executed on the
computing unit. An unused memory area of the program memory
is, however, preferably completely filled using the
predefinable information.

In a function block 6 of the method according to the present
invention, the program code of the computer program located in
function block 4 and the predefinable information located in
function block 5 are stored in the corresponding memory areas
of the program memory. The method according to the present
invention is ended in a function block 7.

According to an alternative method according to the present
invention, which is not shown in the figures, however, all
existing memory areas of the program memory are initially
filled using the predefinable information. Subsequently, only
the program code of the computer program obtained from the
locator is written over this information in the appropriate
memory areas. This method has the advantage that a check sum
may then be formed over all areas.

In Figure 2, a control unit according to a preferred
embodiment of the present invention as a whole is identified
by reference number 10. Control unit 10 is used, for example,
for controlling and/or regulating specific functionalities in
a motor vehicle. Control unit 10 includes a CPU (central
processing unit) component 30 and a separate IC (integrated
circuit) component 31, on which an external flash memory 20 is
positioned. CPU component 30 includes a computing unit 11,
which is implemented as a microprocessor or a CPU, for
example. Computing unit 11 is connected via a first data
connection 12 to a rapid operating memory 13, which is
implemented as a static or dynamic RAM (random access memory).
Computing unit 11 is connected via a second data connection 14
to an internal flash memory 15 and a ROM (read only memory)
16. ROM 16 is a read only memory, in which the BIOS (basic
input output system) is stored, for example.

Computing unit 11 is connected via a third data connection 17
and a communication controller 18 to a data bus 19. External
flash memory 20 is connected to data bus 19, for example, so
that computing unit 11 may access external flash memory 20 via
data bus 19. Internal flash memory 15 and external flash
memory 20 form the program memory, in which computer program
21 is stored in specific memory areas and predefinable
information 22 is stored in the remaining unused memory areas.
Computing unit 11 is connected via a fourth data connection 23
to an interface 24, via which a device 25 for storing computer
program 21 and predefinable information 22 may be connected to
the memory areas of the program memory provided for this
purpose.

The related art, in which an erroneous jump is made (arrow 27)
into the following unused memory area of flash memory 15
during the execution of computer program 21 (arrow 26), will
be described on the basis of internal flash memory 15.
Computing unit 11 reads out program instructions from the
unused memory area and executes them (arrow 28). Since the
program instructions read out of the unused memory area are
predefinable information, through which control unit 10 is
transferred into a defined state, there is no danger in the
present invention that computer program 21 enters an
uncontrolled endless loop or that control unit 10 enters an
undefined and therefore irregular state. The defined state of
control unit 10 may be achieved through a software reset, for
example. For this purpose, computing unit 11 jumps, caused by
the execution of the program instructions (arrow 28), to a
specific reset address (arrow 29) of a memory area of program
memory 15, 20, in which computer program 21 is stored.
Computer program 21 then starts up again and the execution of
computer program 21 starts from the beginning again.

The defined state of control unit 10 may, however, also be
achieved by executing an interrupt service routine or an error
handling routine. For this purpose, computing unit 11 jumps,
caused by the execution of the program instruction (arrow 28),
to a specific memory address of a memory area of program
memory 15, 20, in which computer program 21 is stored. This
memory address corresponds to the beginning of the interrupt
service routine or the error handling routine. After execution
of the interrupt service routine or the error handling
routine, computing unit 11 may jump to the reset address in
order to reset control unit 10.

The predefinable information stored in the unused memory areas
is, for example, implemented as a program code in a
hexadecimal format, known as hexadecimal code. Device 25 may,
for example, include a hexadecimal editor for filling up the
unused memory areas of program memory 15, 20. The hexadecimal
code used for the predefinable information is to fulfill one
of the following possible functions:

- filling up the entire unused memory area using at least
  one program instruction, which triggers a reset of control
  unit 10 (reset) in a controlled way. For a microcontroller of
  the type 80C166 from Siemens, this corresponds to an
  instruction SRST or illegal opcode, for example.

- filling up the entire unused memory area using at least
  one program instruction, through which a jump is made into the
  interrupt service routine.

- filling up the entire unused memory area using at least
  one program instruction, through which a jump is made into a
  special error handling routine.

- implementing at least one program instruction according
  to the three possibilities above only at the end of an unused
  memory area and possibly also at regular intervals, e.g.,
  every 512 bytes. However, this requires that the other program
  instructions in the unused memory area do not cause jumps or
  endless loops.

The control unit is to be reset using software, for example, 
at the end of the interrupt service routine and at the end of 
the error handling routine. The software reset results in a 
restart of control unit 10. Historical information about the 
precise location of the occurrence and its history may be 
stored, for example, during the interrupt service routine and 
during the error handling routine, e.g., return addresses. 
Conclusions about the frequency of the occurrence of an error, 
for example, may be drawn from this information. 
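
The complete fill of all unused areas and the alternative method of filling the whole program memory first and then writing the located program over it, with a check sum over all areas, shown as an added example that is not part of the patent text. The function names, the constructed sample segments, and the 4-byte SRST encoding are assumptions of this example; the encoding must be confirmed against the instruction set manual of the target CPU.

```python
"""Added example: fill program memory with a reset pattern, then overlay the program."""
import zlib

# Assumption: 4-byte encoding of the C166-family SRST (software reset)
# instruction. Confirm it in the CPU's instruction set manual, or substitute
# the encoding of the trap or illegal opcode chosen for the target.
SRST = bytes.fromhex("B748B7B7")


def build_image(size, segments, pattern=SRST):
    """Fill the whole image with `pattern`, then write each located segment over it.

    `segments` maps start address -> bytes (the locator's output). The pattern
    is laid down by absolute address, so its phase is the same in every gap
    regardless of where the preceding segment happens to end.
    """
    if size % len(pattern):
        raise ValueError("image size must be a multiple of the pattern length")
    image = bytearray(pattern * (size // len(pattern)))
    end_of_previous = 0
    for start in sorted(segments):
        data = segments[start]
        if start < end_of_previous:
            raise ValueError(f"segment at {start:#x} overlaps the previous one")
        if start + len(data) > size:
            raise ValueError(f"segment at {start:#x} exceeds program memory")
        image[start:start + len(data)] = data
        end_of_previous = start + len(data)
    return bytes(image)


def unused_ranges(size, segments):
    """Return the half-open (start, end) address ranges not covered by a segment."""
    gaps, cursor = [], 0
    for start in sorted(segments):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + len(segments[start]))
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def unfilled_addresses(image, segments, pattern=SRST):
    """Build-time check: addresses in unused areas that do not hold the pattern.

    An empty list means every byte outside the located program holds the fill
    pattern; anything else (for example erased-flash 0xFF) is reported.
    """
    bad = []
    for start, end in unused_ranges(len(image), segments):
        for addr in range(start, end):
            if image[addr] != pattern[addr % len(pattern)]:
                bad.append(addr)
    return bad


def image_checksum(image):
    """Check sum over all areas, possible because no byte is left undefined."""
    return zlib.crc32(image) & 0xFFFFFFFF


# Constructed sample: a 2 KiB program memory with two non-contiguous segments.
SIZE = 0x800
SEGMENTS = {
    0x000: bytes(range(0x40)),          # stand-in bytes for start-up code
    0x400: bytes([0x12, 0x34] * 0x30),  # stand-in bytes for a second segment
}

if __name__ == "__main__":
    img = build_image(SIZE, SEGMENTS)
    for lo, hi in unused_ranges(SIZE, SEGMENTS):
        print(f"unused {lo:#06x}-{hi - 1:#06x} filled with {SRST.hex()}")
    print("unfilled bytes:", len(unfilled_addresses(img, SEGMENTS)))
    print(f"check sum over all areas: {image_checksum(img):#010x}")
```

Running `unfilled_addresses` on the image that is actually flashed, rather than on the builder's own output, catches a gap that a later build step left at the erased-flash value.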